
Hi,

I have 2 PCs, each running X-Lite 4.0 softphones in combination with ZFONE v0.92 build 218. Both are connected to an Asterisk softswitch. A PC running Fedora with Wireshark 1.4 is able to decode SRTP packets (in preferences, "Try to decode RTP outside of conversation" etc.) with a filter applied for SIP, RTP and SRTP. This PC is connected in bridge mode between the Asterisk and one of the softphone PCs.

I have the following strange behaviour: as per the ZFONE displays, a secure connection can be established between both parties. The call flow reported by Wireshark is in line with the ZRTP IETF specs, BUT no SRTP packets are visible (only RTP packets are exchanged between the parties).

I first thought that Wireshark is not able to decode SRTP packets at all. Hence, I replaced the X-Lite phones with eyeBeam: in fact, SRTP is not supported natively by X-Lite and I wanted to force SRTP traffic to be exchanged (eyeBeam does support TLS/SRTP). I deactivated ZFONE and initiated a call: SRTP packets were reported.

Who can help? The ZFONE is intended to generate a shared secret which is then used to generate keys and salt for Secure RTP (SRTP).

Thanks

asked 25 Sep '10, 14:46

Aspirin


If you look closely at the initial RTP packets in the ZFONE session, you'll see they're odd. You have to set the preferences for the RTP dissector to see these type 0 packets as ZRTP packets.

Furthermore the RTP dissector can't really see that RTP packets are really SRTP packets when looking at the packets themselves, it has to be taken from the session signaling. This is done from the SIP/SDP dissector, but not from the ZRTP dissector.

You could file an enhancement bug, with sample captures of your ZRTP session, so this can be added to Wireshark. (I would love to see some captures :-) )


answered 25 Sep '10, 22:53

Jaap ♦

Thanks Jaap. I can forward you the traces. Please just advise how to proceed (the size of the file is 260 KB).

Not sure, in my case, that when using Zfone the session signaling can help to determine if the RTP packet is in fact an SRTP packet.

The only difference I have noticed is the size of the RTP packets: 180 bytes before the ZRTP session is established and 184 bytes after the Conf2Ack message.

I am (very) happy for any related info

Cheers

(27 Sep '10, 06:24) Aspirin

You can:

- File a bug at https://bugs.wireshark.org
- Send it straight to me, see my profile

Indeed, one has to look in the RTP packets to see ZRTP session establishment, which is done in-band.

Those 4 extra bytes look like the 32-bit authentication tag.

(27 Sep '10, 08:30) Jaap ♦
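The observations Aspirin and Jaap exchange above (in-band ZRTP messages carried as RTP "version 0" packets with the ZRTP magic cookie, then RTP packets that grow by 4 bytes once the 32-bit authentication tag is present) turned into a small classifier, as an added Python example that is not part of the thread and not Wireshark's own dissector code. The packet stream, SSRC and payload lengths are constructed, and the 4-byte growth is only the thread's hint, not proof that a packet is SRTP.

```python
import struct

ZRTP_MAGIC = 0x5A525450  # ASCII "ZRTP"; occupies the RTP timestamp slot (RFC 6189)

def classify(pkt):
    """Classify one UDP payload as 'zrtp', 'rtp' or 'other' from its 12-byte header."""
    if len(pkt) < 12:
        return "other"
    b0, _b1, _seq, ts, _ssrc = struct.unpack("!BBHII", pkt[:12])
    version = b0 >> 6
    if version == 0 and ts == ZRTP_MAGIC:
        return "zrtp"   # the "type 0" packets: RTP version bits 0 plus the magic cookie
    if version == 2:
        return "rtp"    # plain RTP and SRTP share this header; not distinguishable here
    return "other"

def find_srtp_transition(pkts, tag_len=4):
    """Heuristic from the thread: per SSRC, flag the first RTP packet that is exactly
    tag_len bytes longer than that SSRC's first packet (a 32-bit SRTP auth tag).
    Returns {ssrc: index of the first suspected SRTP packet}."""
    baseline, transition = {}, {}
    for i, pkt in enumerate(pkts):
        if classify(pkt) != "rtp":
            continue
        ssrc = struct.unpack("!I", pkt[8:12])[0]
        if ssrc not in baseline:
            baseline[ssrc] = len(pkt)
        elif ssrc not in transition and len(pkt) == baseline[ssrc] + tag_len:
            transition[ssrc] = i
    return transition

# --- constructed sample stream (not a real capture) -------------------------
def make_rtp(seq, ssrc, payload_len):
    # V=2, no padding/extension/CSRC, PT=0; timestamp derived from seq for realism
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + b"\x00" * payload_len

def make_zrtp(seq, ssrc):
    # ZRTP header per RFC 6189: first byte 0x10, seq, magic cookie, SSRC, then a message body
    return struct.pack("!BBHII", 0x10, 0, seq, ZRTP_MAGIC, ssrc) + b"\x00" * 20

def demo():
    ssrc = 0xDEADBEEF
    pkts = [make_rtp(s, ssrc, 168) for s in range(5)]        # 12 + 168 = 180-byte packets
    pkts.append(make_zrtp(5, ssrc))                           # in-band handshake message
    pkts += [make_rtp(s, ssrc, 172) for s in range(5, 10)]   # 184 bytes: +4-byte auth tag
    return classify(pkts[5]), find_srtp_transition(pkts)
```

Running `demo()` on the constructed stream reports the ZRTP message at index 5 and index 6 as the first packet whose length matches the 180-to-184 jump described in the thread.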

This feature was added in revision 34277, see http://www.wireshark.org/lists/wireshark-commits/201009/msg00241.html.

(28 Oct '10, 04:06) Jaap ♦